Analysis
- max time kernel: 150s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2022 18:53

Static task: static1
Behavioral task: behavioral1
Sample: offjetsew3321.exe
Resource: win7-20221111-en

General
- Target: offjetsew3321.exe
- Size: 228KB
- MD5: 98f963b9d7225413ec18f48a473c1f40
- SHA1: 1272577d90b8d212416732e54258b136cbd2f3d3
- SHA256: 36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c
- SHA512: 778b186ef6c85651bb722701ee77785aed3bd51048a3ecd12423779c8b1ac640eea61a85712ceb03be48916b8c20c587adc4ee9f625f3a4b96a442f9b550b579
- SSDEEP: 6144:QBn1yQEl9B3my7WMRNICK7WtIGpUv82m+mLZxhhO4+/:gnEl9Iy7zRNI7BGpU4L1J+/
Malware Config
Extracted
- family: formbook
- version: 4.1
- campaign: je14
Signatures
-
Formbook payload 4 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/3560-139-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/3560-144-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/4460-148-0x0000000000A30000-0x0000000000A5F000-memory.dmp: formbook
- behavioral2/memory/4460-151-0x0000000000A30000-0x0000000000A5F000-memory.dmp: formbook
Executes dropped EXE 2 IoCs
Processes (pid, process):
- 636 nfvyobds.exe
- 3560 nfvyobds.exe
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 636 set thread context of 3560: nfvyobds.exe (636) -> nfvyobds.exe (3560)
- PID 3560 set thread context of 2932: nfvyobds.exe (3560) -> Explorer.EXE (2932)
- PID 4460 set thread context of 2932: netsh.exe (4460) -> Explorer.EXE (2932)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes (pid, process):
- 3560 nfvyobds.exe (4 entries)
- 4460 netsh.exe (all remaining entries of the 58)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 2932 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes (pid, process):
- 636 nfvyobds.exe (1 entry)
- 3560 nfvyobds.exe (3 entries)
- 4460 netsh.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 3560 nfvyobds.exe
- Token: SeDebugPrivilege, 4460 netsh.exe
Suspicious use of WriteProcessMemory 13 IoCs
Processes (description, pid, process, target process):
- PID 920 wrote to memory of 636: offjetsew3321.exe (920) -> nfvyobds.exe (636), 3 entries
- PID 636 wrote to memory of 3560: nfvyobds.exe (636) -> nfvyobds.exe (3560), 4 entries
- PID 2932 wrote to memory of 4460: Explorer.EXE (2932) -> netsh.exe (4460), 3 entries
- PID 4460 wrote to memory of 4052: netsh.exe (4460) -> cmd.exe (4052), 3 entries
Processes
- Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
- Level 2: C:\Users\Admin\AppData\Local\Temp\offjetsew3321.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\offjetsew3321.exe"
  - Suspicious use of WriteProcessMemory
- Level 3: C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe" C:\Users\Admin\AppData\Local\Temp\jhknljkson.ade
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
- Level 4: C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe" C:\Users\Admin\AppData\Local\Temp\jhknljkson.ade
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
- Level 2: C:\Windows\SysWOW64\netsh.exe
  Command line: "C:\Windows\SysWOW64\netsh.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: /c del "C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe"
Downloads
- C:\Users\Admin\AppData\Local\Temp\jhknljkson.ade
  Filesize: 5KB
  MD5: a01427ca1c1582996464569f7698d06c
  SHA1: 77afe61bc26385d7f334091cedc82c07045bbefd
  SHA256: 0d4b7dad87d14f15d860d0699dcd9613a074ba389653ba6c11fde1c886c7b1f0
  SHA512: f36d126d8d43ad8292740e3c344fe6c86d5d7491bb29f14c45fd3193d7bfb3985d64b0e40acd5f18c6402361ee982b124907a777a420637ed1b935aa5a0a82fb
- C:\Users\Admin\AppData\Local\Temp\kvpxu.xyq
  Filesize: 185KB
  MD5: c059805868cd8cb1a7e2249d8a5d169c
  SHA1: a6fa675a027113edff5bec4c21ade795da0e2028
  SHA256: bce097be8bba40084ad6a4bd1b5bc40d43dd4f44abdce4bec246947b089ac938
  SHA512: 449ff100f77af907ba2bb93c7520344f8dcabb887c9aedf053d8e31bd05e7f2f2bec7eb6ea82887f6d79d8fa46e0f62e36d4968a6f3bbe759228e6cbae247fac
- C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe
  Filesize: 59KB
  MD5: d660fe612ef6aa2af1d2ce26d213d38e
  SHA1: 6055e297bfc1a2cdf34ea79d17b3150e16231273
  SHA256: 15c2c4e1b0282f7b0a1a2050000f2ecd9c2d41ad2ccc4f38e16542af2b162ef2
  SHA512: 0de1d57640aa2185649f308908aca93992d1b4bb2766b746e595f4f3872510af697d9197d4556f75ea8f9a01af17570ca7ec56409d9292ed20e1a261ca0fe1b8
Memory dumps:
- memory/636-132-0x0000000000000000-mapping.dmp
- memory/2932-142-0x0000000008190000-0x00000000082C0000-memory.dmp (Filesize 1.2MB)
- memory/2932-152-0x0000000002DD0000-0x0000000002EA0000-memory.dmp (Filesize 832KB)
- memory/2932-150-0x0000000002DD0000-0x0000000002EA0000-memory.dmp (Filesize 832KB)
- memory/3560-137-0x0000000000000000-mapping.dmp
- memory/3560-141-0x0000000000E70000-0x0000000000E84000-memory.dmp (Filesize 80KB)
- memory/3560-144-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/3560-140-0x00000000009A0000-0x0000000000CEA000-memory.dmp (Filesize 3.3MB)
- memory/3560-139-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/4052-145-0x0000000000000000-mapping.dmp
- memory/4460-143-0x0000000000000000-mapping.dmp
- memory/4460-146-0x0000000000CC0000-0x0000000000CDE000-memory.dmp (Filesize 120KB)
- memory/4460-147-0x0000000001400000-0x000000000174A000-memory.dmp (Filesize 3.3MB)
- memory/4460-148-0x0000000000A30000-0x0000000000A5F000-memory.dmp (Filesize 188KB)
- memory/4460-149-0x00000000011A0000-0x0000000001233000-memory.dmp (Filesize 588KB)
- memory/4460-151-0x0000000000A30000-0x0000000000A5F000-memory.dmp (Filesize 188KB)